Compare commits


8 commits

Author SHA1 Message Date
648f53ae75 add TODO.md 2026-02-16 09:36:01 +10:00
4ecb9ad03a progress flake 2026-02-16 09:35:57 +10:00
ed8618c8a6 add default nixpkgs.nix 2026-02-16 09:35:47 +10:00
b6202ad56a update hosts (+ update sshPort) 2026-02-16 09:35:29 +10:00
821349be71 add flatpak + nh 2026-02-16 09:34:17 +10:00
921741546e remove modules/server 2026-02-16 09:33:33 +10:00
b22bb3217e update git config 2026-02-16 09:33:25 +10:00
3b2e3ddaab add nginx overlay to overlays.nix 2026-02-16 09:32:40 +10:00
17 changed files with 217 additions and 227 deletions

10
TODO.md Normal file

@ -0,0 +1,10 @@
- [ ] Update the README.md
- [ ] switch ssh keys to ECC (fuck RSA)
- [ ] migrate forge.dobutterfliescry.net -> tearforge.net
- [ ] rename forgejo user to git
- [ ] setup my own VPN
- [ ] connect match to my VPN
- [ ] use matcha to build stuff instead of using my laptop
- [ ] make `ceru` do local and remote deployments

134
flake.lock generated

@ -3,12 +3,11 @@
"cerulean": {
"inputs": {
"deploy-rs": "deploy-rs",
"home-manager": "home-manager",
"microvm": "microvm",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-unstable": [
"nixpkgs-unstable"
],
"nt": [
"nt"
],
@ -17,20 +16,26 @@
]
},
"locked": {
"lastModified": 1770984845,
"narHash": "sha256-si6XCx0xGq3z7dZSVCx5NgVxgFdnTc1qaKro5IemG70=",
"path": "/home/me/cry/mk/Cerulean",
"type": "path"
"lastModified": 1771194110,
"narHash": "sha256-x6rijGWmPL5FTpkr+8vpcKKCOT33QHEV8bP6ibEAXFE=",
"owner": "cry128",
"repo": "Cerulean",
"rev": "d527937829dec0f410f126a2f85e374cb99a2fbb",
"type": "github"
},
"original": {
"path": "/home/me/cry/mk/Cerulean",
"type": "path"
"owner": "cry128",
"repo": "Cerulean",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"nixpkgs": [
"cerulean",
"nixpkgs"
],
"utils": "utils"
},
"locked": {
@ -166,6 +171,7 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"cerulean",
"nixpkgs"
]
},
@ -184,6 +190,49 @@
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770260404,
"narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
},
"microvm": {
"inputs": {
"nixpkgs": [
"cerulean",
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1770310890,
"narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
"owner": "microvm-nix",
"repo": "microvm.nix",
"rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
"type": "github"
},
"original": {
"owner": "microvm-nix",
"repo": "microvm.nix",
"type": "github"
}
},
"nix-flatpak": {
"locked": {
"lastModified": 1767983141,
@ -270,16 +319,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1743014863,
"narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
"owner": "NixOS",
"lastModified": 1770770419,
"narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
"rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
@ -316,22 +365,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1770770419,
"narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@ -350,18 +383,21 @@
"nt": {
"inputs": {
"nix-unit": "nix-unit",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"systems": "systems_2"
},
"locked": {
"lastModified": 1770975061,
"narHash": "sha256-dedEcQSEzur2/pBcxFFygkSrMuKGOUWThOUD2LXMCsA=",
"path": "/home/me/cry/mk/nt",
"type": "path"
"lastModified": 1770975056,
"narHash": "sha256-ZXTz/P3zUbbM6lNXzt91u8EwfNqhXpYMu8+wvFZqQHE=",
"owner": "cry128",
"repo": "nt",
"rev": "f42dcdd49a7921a7f433512e83d5f93696632412",
"type": "github"
},
"original": {
"path": "/home/me/cry/mk/nt",
"type": "path"
"owner": "cry128",
"repo": "nt",
"type": "github"
}
},
"root": {
@ -369,15 +405,31 @@
"cerulean": "cerulean",
"dobutterfliescry-net": "dobutterfliescry-net",
"grub2-themes": "grub2-themes",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"nix-flatpak": "nix-flatpak",
"nixcord": "nixcord",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nt": "nt",
"systems": "systems_3"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1759482047,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"ref": "refs/heads/main",
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 996,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -12,16 +12,15 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# nt.url = "github:cry128/nt";
nt.url = "/home/me/cry/mk/nt";
nt.url = "github:cry128/nt";
# nt.url = "/home/me/cry/mk/nt";
cerulean = {
# url = "github:cry128/Cerulean";
url = "/home/me/cry/mk/Cerulean";
url = "github:cry128/Cerulean";
# url = "/home/me/cry/mk/Cerulean";
inputs = {
systems.follows = "systems";
nixpkgs.follows = "nixpkgs";
nixpkgs-unstable.follows = "nixpkgs-unstable";
nt.follows = "nt";
};
};


@ -24,6 +24,13 @@
];
};
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 7d --keep 3";
flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you
};
nix.settings = {
# make wheel group trusted users allows my "ae" user
# to import packages not signed by a trusted key
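Review bot: `clean.extraArgs = "--keep-since 7d --keep 3";` bounds the rollback window: once a generation is older than seven days and outside the three newest, the clean removes it, so a bad change noticed later than that can no longer be reverted by booting an older generation. If that trade-off is intended, a comment next to the line would record it, e.g. `# rollback window: the 3 newest generations, or anything younger than 7d`. `flake = "/home/me/flake";` ties the option to one user's home directory; presumably that is the checkout nh is meant to operate on, but it is worth confirming it matches where this repo actually lives on the host. The enclosing module continues outside this hunk.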


@ -1,12 +1,12 @@
{...}: {
services.flatpak = {
remotes = [
{
location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
name = "flathub";
}
];
# DEBUG: remotes = [
# DEBUG: {
# DEBUG: location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
# DEBUG: name = "flathub";
# DEBUG: }
# DEBUG: ];
uninstallUnmanaged = true;
# DEBUG: uninstallUnmanaged = true;
};
}
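Review bot: The `# DEBUG:` prefixes leave `remotes` and `uninstallUnmanaged` commented out with no reason recorded, so if this lands the flathub remote is no longer declared and flatpaks installed outside the config are no longer removed on activation. If this is a temporary workaround, the first commented line should say what it works around and when to restore it, e.g. `# DEBUG: remotes/uninstallUnmanaged disabled because <reason>; restore before the next deploy`; otherwise the dead lines should be deleted rather than carried along.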


@ -109,9 +109,6 @@
};
systemPackages = with pkgs; [
sddm-theme-corners
# dependencies for my sddm theme:
# XXX: add these as a buildInput
# pkgs.libsForQt5.qt5.qtgraphicaleffects
];
};


@ -19,7 +19,7 @@
hexyl
# ASM
nasm
# x86-manpages # DEBUG
x86-manpages
# C Family
gcc
clang


@ -1,7 +1,7 @@
{lib, ...}: {
networking.firewall = {
allowedTCPPorts = [
22
42069 # ssh
];
};
@ -9,7 +9,7 @@
# accept Lets Encrypt's security policy
acme = {
acceptTerms = true;
defaults.email = "them@dobutterfliescry.net";
defaults.email = "eclarkboman@gmail.com";
};
sudo = {
@ -26,7 +26,7 @@
services = {
openssh = {
enable = true;
ports = [22];
ports = [42069];
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
@ -37,6 +37,22 @@
};
};
# simple fail2ban config (not production ready or anything though)
# refer to: https://nixos.wiki/wiki/Fail2Ban
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "10m"; # 10 minute ban
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
# multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # dont ban for more than 1 week
overalljails = true;
};
};
users = {
users = {
# primary user
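Review bot: `42069 # ssh` in `allowedTCPPorts` duplicates what `services.openssh.openFirewall` (default true) already derives from `services.openssh.ports`, so the port now lives in two places and the next change to it can drift; dropping the manual entry, or a comment such as `# openssh.openFirewall already opens this; listed only for visibility`, keeps them in step. With the daemon moved off 22, it is worth confirming that the fail2ban sshd jail added in the last hunk bans on the new port rather than the `ssh` service alias; recent NixOS releases default the jail's `port` from `services.openssh.ports`, but if this host's release does not, `jails.sshd.settings.port = "42069";` closes that gap. The hunk keeps `PasswordAuthentication = false`, so the port move is noise reduction rather than an access control, which is fine as long as it is not read as one.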


@ -106,42 +106,30 @@
};
# set ssh profiles
# NOTE: (IMPORTANT) this DOES NOT start the ssh-agent
# for that you need to use `services.ssh-agent.enable`
# WARNING: this DOES NOT start the ssh-agent
# WARNING: for that you need to use `services.ssh-agent.enable`
ssh = {
enable = true;
forwardAgent = false;
addKeysToAgent = "no";
addKeysToAgent = "yes";
matchBlocks = {
hyrule = {
hostname = "imbored.dev";
user = "ae";
port = 22;
identityFile = "~/.ssh/id_hyrule";
butterfly = {
hostname = "dobutterfliescry.net";
user = "cry";
port = 42069;
identityFile = "~/.ssh/id_butterfly";
setEnv = {
TERM = "linux";
};
};
clocktown = {
hostname = "clocktown.dobutterfliescry.net";
user = "root";
port = 22;
identityFile = "~/.ssh/id_clocktown";
};
subspace = {
hostname = "imbored.dev";
user = "subspace";
port = 22;
identityFile = "~/.ssh/id_subspace";
};
dead = {
hostname = "deadlyserver.com";
user = "emile";
port = 29843;
identityFile = "~/.ssh/id_deadlyserver";
hostname = "hyrule.dobutterfliescry.net";
user = "cry";
port = 42069;
identityFile = "~/.ssh/id_hyrule";
setEnv = {
TERM = "xterm-256color";
TERM = "linux";
};
};
youcue = {
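Review bot: `addKeysToAgent = "yes";` loads every key into the agent on first use with no expiry, so a key stays usable by any process that can reach the agent socket for the life of the session. `"confirm"` prompts per use, and OpenSSH also accepts a lifetime here (e.g. `addKeysToAgent = "confirm 1h";`) on versions that support it; if unattended use is the reason for `yes`, a one-line comment saying so would help the next reader. The new `hyrule` block pins `port = 42069`, while the `hyrule` node in the nodes hunk further down in this compare sets `deploy.ssh` without a `port`; one of the two is presumably wrong once that host's sshd moves, so the port should be derived from a single place. The `matchBlocks` set continues past the end of this hunk.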


@ -7,24 +7,24 @@
enable = true;
lfs.enable = true;
userName = "_cry64";
userEmail = "them@dobutterfliescry.net";
signing = {
# key = "F68745A836CA0412";
# format = "openpgp";
# signByDefault = true;
};
aliases = {
s = "status";
d = "diff";
l = "log";
c = "commit";
p = "push";
};
settings = {
user.name = "_cry64";
user.email = "them@dobutterfliescry.net";
alias = {
s = "status";
d = "diff";
l = "log";
c = "commit";
p = "push";
};
extraConfig = {
color.ui = true;
core.editor = "hx";
github.user = "cry128";
@ -51,7 +51,7 @@
"codeberg:"
];
};
"forgejo@forge.dobutterfliescry.net:2222/" = {
"git@tearforge.net/" = {
insteadOf = [
"cry:"
"forge:"


@ -1,17 +0,0 @@
{...}: {
# simple fail2ban config (not production ready or anything though)
# refer to: https://nixos.wiki/wiki/Fail2Ban
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "10m"; # 10 minute ban
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # dont ban for more than 1 week
overalljails = true;
};
};
}


@ -1,35 +0,0 @@
{...}: {
services = {
# use nginx as the reverse proxy
# (also will use certbot and Let's Encrypt)
# refer to: https://nixos.wiki/wiki/Nginx
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# https://imbored.dev
virtualHosts = {
"imbored.dev" = {
forceSSL = true;
enableACME = true;
# config reverse proxy paths
locations = {
"/" = {
# TODO
proxyPass = "http://127.0.0.1:12345";
};
};
};
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "eclarkboman@gmail.com";
};
}


@ -1,13 +0,0 @@
{...}: {
services.openssh = {
enable = true;
ports = [22];
settings = {
PasswordAuthentication = true;
PermitRootLogin = "no";
AllowUsers = null; # allow all users by default
UseDns = true;
X11Forwarding = false;
};
};
}


@ -1,30 +1,13 @@
{
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
{pkgs, ...}: {
services.nginx = {
enable = true;
# XXX: TODO: this should auto use the nginxStable overlay no?
# in wake of CVE-2022-3602/CVE-2022-3786
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
# NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
package = pkgs.nginx;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# streamConfig = ''
# server {
@ -43,40 +26,33 @@
enableACME = true;
# kTLS = true; # offload TLS to the linux kernel
};
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in {
"dobutterfliescry.net" =
{
default = true;
addSSL = true; # not strictly enforced <3
# root = "/var/www/cry";
addSSL = true; # addSSL NOT forceSSL <3
root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = ''
# error_page 404 /custom_404.html;
# '';
}
// std;
# Route "vault" subdomain to vaultwarden
"vault.imbored.dev" = vault;
# Route "forge" subdomain to forgejo
# TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
"vault.imbored.dev" =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
# "tearforge.net" =
# {
# forceSSL = true;
# extraConfig = ''
# client_max_body_size 512M;
# '';
# locations."/".proxyPass = "${localhost}:3000";
# }
# // std;
# "tearforge.net" = forge;
"forge.dobutterfliescry.net" = forge;
};
};
}
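Review bot: Commenting out `recommendedTlsSettings = true;` (and the three other `recommended*` lines) in the first hunk drops the module's TLS defaults — protocol versions, cipher list, session cache/ticket and OCSP stapling settings — so every vhost below, including the `forceSSL` ones, falls back to nginx's stock TLS configuration; if these were disabled to debug something, the commented lines should say what, otherwise they should come back. The `# NOTE: ... nginxStable is overlayed` comment is stale as of this compare: the overlay in `overlays/default.nix` now overrides `nginx`, which is exactly what `package = pkgs.nginx;` picks up, so it should read `# NOTE: overlays/default.nix builds nginx against libressl (see CVE-2022-3602/CVE-2022-3786)`. The `services.nginx` block opened in the first hunk closes in the second, and the `streamConfig` comment block is cut between them.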


@ -3,15 +3,17 @@
inputs,
system,
...
}: {
nixpkgs.channels.default = {
} @ args: {
nixpkgs.channels.default = rec {
default = pkgs;
# nixpkgs (stable branch)
pkgs = {
inherit system;
source = inputs.nixpkgs;
overlays =
[inputs.dobutterfliescry-net.overlays.default]
++ import ./overlays/default.nix;
overlays = [
inputs.dobutterfliescry-net.overlays.default
(import ./overlays/default.nix args)
];
config = {
# allowUnfree = false;
allowBroken = false;
@ -31,9 +33,10 @@
upkgs = {
inherit system;
source = inputs.nixpkgs-unstable;
overlays =
[inputs.dobutterfliescry-net.overlays.default]
++ import ./overlays/default.nix;
overlays = [
inputs.dobutterfliescry-net.overlays.default
(import ./overlays/default.nix args)
];
config = {
allowUnfree = false;
allowBroken = false;


@ -1,5 +1,5 @@
[
(self: super: {
{inputs, ...}: (
self: super: {
angry-oxide = import ../packages/angryoxide {
pkgs = super;
inherit
@ -18,6 +18,10 @@
pkgs = super;
};
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = super.libressl;};
nginx = super.nginx.override {openssl = super.libressl;};
element-desktop = super.element-desktop.overrideAttrs (final: prev: {
desktopItems = [
((builtins.elemAt prev.desktopItems 0).override {
@ -25,5 +29,5 @@
})
];
});
})
]
}
)
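Review bot: The CVE-2022-3602/CVE-2022-3786 rationale on `nginx = super.nginx.override {openssl = super.libressl;};` is dated — both were fixed in OpenSSL 3.0.7 in late 2022 — and what the override does today is pin nginx on every host using this overlay to LibreSSL, a separate TLS stack with its own advisory stream, which is a standing maintenance decision rather than a mitigation. If keeping LibreSSL is deliberate, the comment should say so, e.g. `# nginx built against libressl (originally a CVE-2022-3602/3786 workaround); revisit on each nixpkgs bump`. Changing the target from `nginxStable` to `nginx` also narrows where the override applies: as far as I recall `services.nginx.package` defaults to `pkgs.nginxStable`, so any host that does not set `package = pkgs.nginx` explicitly now gets the stock OpenSSL build again; overriding both attributes, or documenting that hosts must set `package`, would keep the behaviour consistent. The overlay function begins before this hunk.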


@ -13,10 +13,6 @@ cerulean.mkNexus ./. (self: {
server = {};
};
extraModules = with inputs; [
home-manager.nixosModules.default
];
nodes = let
inherit
(self.nexus)
@ -47,14 +43,21 @@ cerulean.mkNexus ./. (self: {
butterfly = {
system = "x86_64-linux";
groups = [groups.server];
deploy.ssh.host = "dobutterfliescry.net";
deploy.ssh = {
host = "dobutterfliescry.net";
user = "cry";
port = 42069;
};
};
# pls dont sue me im broke
hyrule = {
system = "x86_64-linux";
groups = [groups.server];
deploy.ssh.host = "hyrule.dobutterfliescry.net";
deploy.ssh = {
host = "hyrule.dobutterfliescry.net";
user = "cry";
};
};
# call me a statistician the way she spreads in my sheets